I’d be interested to hear your feedback. Over the top? Too Microsoft? Offensive already and I haven’t even taken the stage? Think they’ll bite?

Let me know in the comments section below.

—

Session Title: Calling Windows Admins Out – Where We Failed in 2017

Abstract:

WannaCry and NotPetya never should have occurred to begin with!

In this session, Duncan McAlynn, 6x Microsoft MVP, published author and industry columnist will break down the massive malware outbreaks of 2017 and how miserably sysadmins around the world failed to protect their organisations against these threats.

Attendees of this session will walk away with a clear understanding of the attack surfaces and vectors used, as well as the countermeasures that should have already been in place – going well beyond the MS17-010 security update.

By combining native Windows operating system features, Active Directory group policy objects, free solution accelerators and 3rd party products, corporations, government agencies and learning institutes around the globe could have and should have prevented these outbreaks from ever occurring.

It’s time to get off of our asses and, as McAlynn often tweets, #makeshithapn

NOTE: This is a “trigger warning” session not for the easily offended. You have been warned!

I’m sure many of you are aware of the Petya variant surge we’re facing today. Here’s what we know thus far:

Original outbreak occurred in the Ukraine early this morning, impacting power companies, petrol stations, airlines, etc.

Since then, it has spread to systems throughout Europe and the U.S.

The code uses a variant of EternalBlue along with Mimikatz running against LSASS.EXE for credential grabs, plus the PsExec tool and WMIC to achieve worm-like spread.

The email account associated with the bitcoin ransom demand ($300) has since been disabled so decryption keys are pretty much out of the question now.

As of 15:30 GMT-6 a total of 31 bitcoin payments have been made.

Unlike other ransomware, this not only encrypts an assortment of file extensions but, upon forcing a system reboot, it will also encrypt the disk’s Master File Table (MFT) and display the ransom message.

There is no kill switch.

I will update this post as more details surface, including some code review screen scrapes from trusted analysts.

Kaspersky Update:

This is Kaspersky Lab’s statement on the NotPetya ransomware attacks reported 27 June

Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we have temporarily named it NotPetya.

The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.

This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.

Kaspersky Lab experts aim to release new signatures, including for the System Watcher component as soon as possible and to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.

We advise all companies to update their Windows software, to check their security solution and ensure they have backup and ransomware detection in place.

Kaspersky Lab corporate customers are also advised to:

• Check that all protection is activated as recommended, and that they have enabled the KSN/System Watcher component.

• Use the AppLocker feature to disable the execution of any files that carry the name “perfc.dat”, as well as the PSExec utility from the Sysinternals Suite.

WannaCrypt (WannaCry) Decryption Tool Now Available!

http://www.windowssecurity.tips/wannacrypt-wannacry-decryption-tool-now-available/

Sat, 13 May 2017 20:04:51 +0000

In May 2017, a large cyber attack was launched, infecting over 230,000 computers in 99 countries, demanding ransom payments in 28 languages. The attack has been described by Europol as “unprecedented in scale”.

Yeah, whatever. Blah, blah, blah… You just got pwned!

Had this site been infected with a file-less “drive-by” ransomware, your system would have likely fallen victim by now. Allow me to explain…

First, phishing schemes tend to play on the human factor by using crafty messages that play on the emotions of fear, excitement or the need to please others. In this scenario, you were likely excited to see that a decryption tool had been made available for the “WannaCry” ransomware variant. I can’t say I blame you. I’m sure many of the 200K+ victims worldwide feel quite the same! However, malicious actors will use these types of social trends as a means of enticing folks into falling for their tricks.

Now, combine this with the more recent introduction of JScript file-less malware into legitimate website advertising networks and you have a recipe for disaster. Well known sites, such as YouTube or Reuters, have been targeted by attackers preying on users’ implicit trust of the sites to inject their malware into the advertisements. Using such methods, visitors don’t even have to hover over or click on the ads to become infected. All they have to do is visit a site that has had its ad network compromised. This is the method known as “drive-by”. No user interaction is required.

Such could have been the case here.

Lastly, with advancements that the hackers have implemented of late, the malware can be injected into memory and, as a result, avoid detection by most antivirus programs since they tend to only read the input/output of whatever is being written to or read from the hard disk.

So, how can this be avoided?

Well, ask yourself what you did prior to clicking on the link that brought you here.

Did you know and trust the source from which you received the link?

Did you know the full path of the website address (URL) that the link was directing you to? (i.e. the one shown in your web browser’s status bar)

Were you excited about the potential of a decryption tool?

All of these are behaviour patterns that we must educate our end users about.

Now, from a defensive approach, what can we do to help protect & defend our organisations against these threats?

Device Control – Such solutions may be able to prevent auxiliary connections from also being encrypted during the land-and-expand process. These include UNC shares, connected USB devices & NAS-based storage.

Validated Backups – Those that have recovered from a ransomware infection without paying up have only been able to do so through weak encryption methods defeated by the decryption tools that brought you here to begin with or through good backups. Use the 3-2-1 rule and test them regularly.

Incident Response Plan – Let me just say that having a bitcoin wallet loaded and ready to go is NOT an incident response plan!

Next Generation Firewalls – NGFWs and their inherent stateful packet inspection can help shut down ransomware attacks before they happen. If you’re not up on this tech yet, you should seriously look into it. Write it down!

Threat Detection – Assume you’ve been breached! Failure to do so and respond accordingly proves one thing only: you deserve to be breached and you’ve been warned!

Firings – I fully believe that we’ve come to the point that we have to take more drastic measures to emphasise the point that end-users are the greatest, single inside threat to the organisation. Fire one or two (maybe a few!) after a second infraction and the point will get across: this will not be tolerated!

Bonus tip: Change default file associations.

Perhaps the simplest approach of all… if an end-user invokes an action that would result in launching the malware through the Windows Scripting Host, PowerShell or the Command Shell and those file extensions are also associated with those scripting environments, then infection will ensue.

However, if those file extensions (i.e. .js, .ps1, .cmd, etc.) are re-associated with, say, notepad.exe, what will be the result? An infection or a confused end-user looking at a script within Notepad.exe? Think about it for a second… Pretty ingenious, right? Sometimes the simplest solution is the one most easily overlooked.
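The following PowerShell script is an added example, not code from the original post: it audits which program Windows will launch for each scripting extension by resolving the extension’s ProgID in HKCR and reading that ProgID’s shell “open” command, and with -Apply re-points that command at notepad.exe as described above. It assumes an elevated session on Windows 8.1/10 or Server 2012 R2 and later; the list of extensions is my choice and the ProgIDs are resolved live rather than hard-coded.

```powershell
<#
  Added example (not the post's own code): audit, and optionally re-point,
  the shell "open" command for script file types so that a double-clicked
  script is displayed in Notepad instead of executed.
  Assumes an elevated PowerShell session; run without -Apply to audit only.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Apply)

$notepad     = Join-Path $env:SystemRoot 'System32\notepad.exe'
$safeCommand = "`"$notepad`" `"%1`""

# Extensions handled by Windows Script Host, PowerShell and the command shell.
$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.ps1', '.cmd', '.bat'

foreach ($ext in $scriptExtensions) {
    $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
    if (-not (Test-Path $extKey)) { Write-Warning "$ext is not registered under HKCR"; continue }

    # The extension key's (default) value names the ProgID, e.g. .js -> JSFile.
    $progId  = (Get-Item $extKey).GetValue('')
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $current = if (Test-Path $cmdKey) { (Get-Item $cmdKey).GetValue('') } else { $null }

    # A per-user "Open with" choice overrides the machine-wide ProgID and is
    # hash-protected on Windows 10, so it is reported rather than rewritten.
    $userChoice = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Extension      = $ext
        ProgId         = $progId
        OpenCommand    = $current
        OpensInNotepad = [bool]($current -like '*notepad.exe*')
        UserOverride   = $userChoice.ProgId
    }

    if ($Apply -and $current -notlike '*notepad.exe*' -and
        $PSCmdlet.ShouldProcess("$ext ($progId)", "set open command to $safeCommand")) {
        if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
        # Set-Item on a registry key writes its (default) value.
        Set-Item -Path $cmdKey -Value $safeCommand
    }
}
```

Run it with -Apply -WhatIf first to see what would change. Note that this only alters what ShellExecute does (double-clicks in Explorer, attachments opened from a mail client); a script run explicitly with wscript.exe, cscript.exe, powershell.exe or cmd /c still executes, which is why this is a bonus tip rather than a replacement for the application-control measures above. The same registry values can be pushed domain-wide with a Group Policy Preferences registry item.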

Do you know a fellow SysAdmin that could benefit from this exercise? Perhaps you’re a member of a Facebook group or Twitter list that includes like-minded professionals? Please consider sharing this post with them in hopes of bringing about a meaningful awareness of what we as IT/InfoSec professionals are charged with on a daily basis. We have a job to do here, y’all. Let’s get it done!

P.S. Aren’t you glad I’m an ethical hacker? Tick, tock… Tick tock… Time is running out. What are you still doing here?

About the Author

As a nearly 20-year veteran of Information Technology with a laser focus on Systems & Security Management, Duncan McAlynn, is a driven and passionate IT professional. He is a contributing author/editor to several books, magazine publications, and websites as well as a popular presenter at many Microsoft events. These activities have led to him receiving the Microsoft Most Valuable Professional award for six consecutive years and being named a member of the FBI InfraGard division.

Duncan has held a number of certifications and awards including 6x Microsoft MVP, MCITP, MCSA, MCSE, & CISSP.

If your organization is like most, you likely have clearly defined processes in place for deploying newly released Microsoft security updates each month. If not, you should. We’ve only had 15 years to hone the process, dating back to when Bill Gates dropped the hammer following the massive “Melissa, I Love You” VBScript outbreak. The result of the worm was a halt to all new product development and an immediate review of existing code sets across all Microsoft products. In the following year, this Trustworthy Computing Initiative resulted in the birth of what we have all come to know and love (or hate) as Patch Tuesday. This cyclic schedule of software update releases on the second Tuesday of each month has allowed us to prepare our internal resources to assess applicability, test compatibility and deploy those updates in a structured manner, including obtaining any required change management board approvals.

In short, “We got this!”.

But do we really have a handle on it? Do you believe your company has a solid grasp on its patch management? Let’s take a look at the facts.

According to data obtained from cvedetails.com, no more than fifteen percent (15%) of all the known vulnerabilities reported over the past three-year period have affected the Microsoft platforms. By that I mean all Microsoft operating systems (both desktop and server versions), Office, Internet Explorer, Skype, Visual Studio, SQL Server, SharePoint, BizTalk, you name it. If it has had the software giant’s name associated with the vulnerable executable, it has only ranged between 9-15% of all the reported vulnerabilities.

So, what about the other 85%? That is where all the third-party applications and non-Microsoft operating systems come into play. In most corporate environments, you’re going to have applications like PDF readers, Internet browsers, Java-based applications, networking tools, graphic programs and the like. All of these software applications have update releases for new versions or security patches for existing versions. And, as the cloud becomes more and more a part of our daily lives, it becomes increasingly important that we apply these third-party product updates in a timely and consistent manner to protect the attack surfaces they introduce as a result of being connected to the Internet.

When I’m giving conference and user group presentations on this topic throughout the country, I tend to ask the audience “Why are you not being as diligent with patching your third-party products as you are with your Microsoft updates each month?”, and I hear the same reasons over and over again. See if you can relate to them:

“We don’t have the time”

“We don’t have the resources”

“We don’t have the tools available”

This is the recurring theme that I am constantly faced with and I completely understand where they are coming from. In a large-scale enterprise environment with global operations and tens of thousands of endpoints, just handling the Microsoft updates can be a vicious, never-ending cycle requiring at least one full headcount administrator to manage the pilot, user acceptance and production deployments. To illustrate this point, here is a typical approach such an organization might take for patching just Microsoft products each month:

Figure 1 – Patch Release Cycle

As you can see from the figure above, by the time one can get through the deployment cycle of a month’s batch of updates, the next month’s worth is already upon them. It’s a relentless onslaught and quite often a thankless task for the poor soul that is charged with it.

So, what is the solution for our poor SecOps engineer? An integrated solution that can help them address the other 85% by utilising the existing investments the organization has made in its patch management framework.

Today, most corporations worldwide are using Microsoft’s Windows Server Update Service component to be able to push out the products from Redmond. Windows Server Update Service (WSUS) is a capable solution but has its limitations. For SMBs, it’s a perfect fit – just synchronise it with WindowsUpdate.com, approve your updates and let it go. Through group policy, the endpoints receive their updates and report back their patch compliance status. Done!
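The WSUS client side of the picture above is entirely group-policy driven, so the first thing to verify on an endpoint that is not reporting compliance is what policy actually reached it. The function below is an added example (not code from the original article) that reads the Windows Update policy values Group Policy writes under HKLM\SOFTWARE\Policies and flags the usual misconfigurations: no WSUS server, a server that is set but ignored because UseWUServer is not 1, and a plain-HTTP WSUS address, which leaves the update metadata open to alteration on the wire. The registry locations are the standard ones; the finding wording is mine.

```powershell
<#
  Added example (not the article's own code): report the WSUS client policy
  that Group Policy delivered to this endpoint and flag common mistakes.
  Assumes the standard policy location HKLM\SOFTWARE\Policies\...\WindowsUpdate.
#>
function Get-WsusClientPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue

    # Meaning of the AUOptions policy value.
    $auOptionNames = @{
        2 = 'Notify before download'
        3 = 'Auto download, notify to install'
        4 = 'Auto download and schedule the install'
        5 = 'Local admin chooses'
    }

    $findings = New-Object System.Collections.Generic.List[string]
    $server   = $wu.WUServer

    if (-not $server) {
        $findings.Add('No WUServer value: the client updates straight from Microsoft, not WSUS')
    } elseif ($au.UseWUServer -ne 1) {
        $findings.Add('WUServer is set but AU\UseWUServer is not 1, so the WSUS address is ignored')
    } elseif ($server -notmatch '^https://') {
        $findings.Add("WSUS address $server is plain HTTP; update metadata can be altered in transit")
    }
    if ($au.NoAutoUpdate -eq 1) {
        $findings.Add('NoAutoUpdate=1: automatic updating is switched off')
    }
    if ($wu.WUStatusServer -and $wu.WUStatusServer -ne $server) {
        $findings.Add('Status server differs from update server; compliance reports go elsewhere')
    }

    # Client-side targeting only applies when TargetGroupEnabled is 1.
    $targetGroup = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { '(client-side targeting off)' }
    $auOption    = if ($au.AUOptions) { $auOptionNames[[int]$au.AUOptions] } else { '(not set)' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        WUServer     = $server
        StatusServer = $wu.WUStatusServer
        TargetGroup  = $targetGroup
        UseWUServer  = $au.UseWUServer
        AUOptions    = $auOption
        Findings     = ($findings -join '; ')
    }
}

Get-WsusClientPolicy | Format-List
```

Run it locally, or wrap it in Invoke-Command to sweep a list of servers; an empty Findings field on a machine that still never reports usually points at the WSUS server itself rather than the client.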

Figure 2 – Windows Server Update Services

For larger, more complex corporate environments requiring more granularity of control, time of deployments, network utilisation and better reporting, WSUS can be integrated into their System Center Configuration Manager (SCCM) product to extend and enhance WSUS. It will use all the existing infrastructure investments in SCCM to improve the scalability of WSUS, provide much more control over to whom and when patches are deployed and much more comprehensive reporting capabilities.

But, back to the point of our poor SecOps guy tasked with also updating Java, Adobe Reader, Chrome, Notepad++ and the like, how is he to integrate these third-party updates into WSUS or SCCM? Thankfully, Microsoft has provided an entry-level solution accelerator named System Center Updates Publisher.

Figure 3 – System Center Updates Publisher

Despite its name, System Center Updates Publisher (SCUP) actually first synchronizes its catalogues from the third-party vendor’s website into WSUS and then, through WSUS’ native functions, synchronizes with SCCM.

So, regardless of whether you have SCCM deployed or not, you’re able to use SCUP to integrate the following vendor update catalogues into your WSUS/SCCM environment(s):

Adobe Acrobat 11

Adobe Acrobat X

Adobe Flash Player

Adobe Reader 11

Adobe Reader X

Dell Business Client Updates

Dell Server Updates

Fujitsu Technology Solutions

HP Client Updates

Hewlett Packard Enterprise

Now as you may have already noticed, the list of available products is pretty slim. The reality is that Microsoft hasn’t really seen the independent software vendor (ISV) support that they had hoped to with SCUP. In fact, Adobe is the only ISV to get on board with it. The other three vendors are all hardware, providing firmware and driver updates.

So, how is one to go about fully addressing the problem at hand with the other 85%? That is a void Microsoft has intentionally left to the partner community to fill. Over the past several years a few key players have emerged to help organizations patch third-party applications by natively integrating into WSUS, SCCM or both.

DISCLAIMER: I am employed by one such partner company, but for the purposes of this article I will refrain from calling out any specific vendor, but instead speak to what you should be looking for in any solution that addresses third-party patching – my company’s product aside.

What should an organization look for in a third-party patch management solution? The following table includes a list of items that I would include in any assessment or proof-of-value project for third-party patch management. I hope it will be of use to you during your evaluation process.

Table 1 – Patch Management Solution Selection Criteria

Third-Party Patching Solution Selection Criteria (rate each item as Critical, Optional or Not Required for your organization)

General Features

• The solution is dedicated and specialized for patching 3rd-party applications via Microsoft WSUS/SCCM.

• It is scalable and can grow with Microsoft WSUS/SCCM without restrictions.

• It is truly plugin-based and seamlessly integrated into the Microsoft SCCM environment, without requiring additional software components or separate agents to be installed.

• The solution provides ‘normalized’ content, where content from different vendors as well as the native content provided by WSUS/SCCM itself are all treated in the same way and don’t require custom modification or scripting. This allows all content to be viewed, deployed and reported on in a consistent fashion.

• It covers patch content for the most vulnerable/targeted and most common 3rd-party applications in corporate networks. This includes (but is not limited to) content from Adobe, Apple, Citrix, Oracle, VMware, Google, Mozilla, etc.

• It provides automatic subscriptions at the product level, where any new content for the selected product(s) is automatically retrieved once released by the vendor(s).

• It includes access to multiple versions of software update content (not only the latest version) for convenience and to meet corporate/enterprise needs. This also avoids unintended version upgrades that can have unwanted or negative outcomes.

(Thank you to Andrew H. Bradley III for his assistance with reviewing this article.)


The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

This one is particularly interesting because its default behavior is to log locally to a file, but if that file doesn’t exist or can’t be written to, then it falls back to the API stream which with a little crafty interception could lead to real-time capturing of a user’s keystrokes including username/passwords, URLs visited, email contents, etc.

Obviously, this presents a huge security risk for enterprise-class HP customers, as the majority of the models impacted by the vulnerability are intended for the corporate environments of the world. Yet HP has yet to confirm or comment on the matter.

So, identifying the 17 different Microsoft operating systems potentially impacted by this vulnerability is the bigger challenge. To that end, I’ve provided a simple SCCM query to build a collection of systems based upon the 28 models called out in modzero’s research. I’m monitoring this vulnerability with multiple alert channels and will update the collection query if new data unfolds.
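The collection query referred to above is not reproduced on this page, so the following is an added example of the same approach, written by me rather than taken from the post: it builds an SCCM device collection whose members are the computers whose hardware inventory reports one of a list of models. The model strings are placeholders to be replaced with the affected models from the research, and the script assumes the ConfigurationManager PowerShell module is loaded with the session connected to the site drive, hardware inventory enabled, and a limiting collection named “All Systems”.

```powershell
<#
  Added example (not the post's own query): create a query-based device
  collection keyed on the hardware model reported by SMS_G_System_COMPUTER_SYSTEM.
  Assumes the ConfigurationManager module is loaded and you have run
  Set-Location '<SiteCode>:' to connect to the site drive.
#>
# PLACEHOLDER values: replace with the affected model names from the advisory.
$models = @('PLACEHOLDER-MODEL-1', 'PLACEHOLDER-MODEL-2')

$collectionName = 'Audio driver advisory - affected models'

# One equality clause per model; use LIKE "Vendor Family%" instead if you
# want to match a whole product family rather than exact model strings.
$clauses = $models | ForEach-Object { 'SMS_G_System_COMPUTER_SYSTEM.Model = "{0}"' -f $_ }

$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM
  on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId
where $($clauses -join ' or ')
"@

if (-not (Get-CMDeviceCollection -Name $collectionName)) {
    # Re-evaluate daily so newly inventoried machines drop into the collection.
    $schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
    New-CMDeviceCollection -Name $collectionName `
                           -LimitingCollectionName 'All Systems' `
                           -RefreshType Periodic `
                           -RefreshSchedule $schedule | Out-Null
}

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
                                          -RuleName 'By hardware model' `
                                          -QueryExpression $wql

# Force an immediate membership evaluation rather than waiting for the schedule.
Invoke-CMCollectionUpdate -Name $collectionName
```

Once the collection is populated it becomes the target for whatever remediation the vendor eventually ships, and its count is the number you report to management while the fix is pending.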

If you find this post helpful, please consider sharing so others may be able to help protect their organizations as well. Thank you!

Unless you’ve been completely off the grid for the past week, you’re likely aware of the huge vulnerability in the Microsoft anti-malware engine (mpengine.dll) found in many of the software giant’s security products.

However, many are still confused by Microsoft’s response, leaving them unsure how to update their systems, verify they’re up-to-date and report on the status. Thankfully, the following link covers everything you need to know and do to protect against this “crazy bad” vulnerability (as the Google Project Zero team members refer to their finding).

We have a new, albeit amateurish, ransomware variant on the loose. This one haphazardly begins deleting files every hour until the ransom is paid. Foolish, since it could take 2-3 days for the victims in question to get setup with a bitcoin wallet. In the meantime they can kiss away ~50 files in the process. Clock resets every 60mins. Tick, tock…

Thankfully, there is a decryptor tool now available for the destructive BitKangaroo ransomware variant.

As I sit here looking at my LinkedIn notifications, I’m disappointed to see one of my own co-workers showing up in the list of those celebrating a birthday today. You may be asking why the disappointment. Allow me to explain…

LinkedIn is the de facto standard for online professional networking. However, the site is also a bit of a bully when it comes to completeness of your profile – strongly encouraging its membership to provide full name (including maiden/previous names), high schools/universities attended, previous & current workplaces, professional memberships, birthday, contact information, etc. Failure to fully complete each of these items will lead to nagging notifications when logging into the site. A profile completeness meter maintains your progress, rewarding you with an “All Star Profile” badge once you’ve met the Sunnyvale, CA company’s objectives.

So, how does your all star profile help hackers? Allow me to illustrate the flow of a targeted spear phishing attack. For those unfamiliar with the term, Spearphishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data.

Social Profile Phishing Scheme

Identify Employees of the Targeted Organization Through LinkedIn Features

LinkedIn has search capabilities for all company pages, including employees that have affiliated themselves with the organization.

Use Data from the Profile to Profile the Target Employee & Craft the Phishing Email Messaging

The more complete the profile page is, the easier the task is for the hacker to craft a believable phishing email to encourage the user to view the email and open the attachment containing the malware payload.

Payload Delivered

The ransom/malware payload is in an attached, password-protected .ZIP file intended to defeat A/V scanners, with a note in the body of the email that the password is the birthdate of the recipient. In the anxiousness to see these graduation pics, the recipient bypasses the macro warnings from the payload.

Land & Expand

Depending on the intent of the threat actor, at this point files on the system could be encrypted to solicit a ransom payment, or the malware could lie in wait, working in the background to expand its reach within the organization & increase its privileges on this system and others as well.

Payday!

Whether hitting a payday in the sense of bringing the company to the point of having to pay the ransom to get their files back or using the newfound system(s) access for other malicious intent, the hacker has won. And it all started with the employee’s All Star LinkedIn profile.

As you can see, this is a very simple and effective means of using social media profiles to provide enough bait for the recipient to fall for the phishing scheme and take a bite. Here I pick on LinkedIn, but they’re all susceptible to the concept. Unfortunately, being an all star on LinkedIn isn’t going to win you any brownie points or badges with the folks in Information Security. So stay safe, stay protected and limit the amount of information you share on your social media profiles.